Tag Archives: Cellebrite

Is the Apple Losing its Shine?

Last week there were multiple reports that Petah Tikvah, Israel-based Cellebrite could unlock any iPhone up to and including the iPhone X running the most current version of the Apple OS, but you had to send the phone to them along with a check for $1,500, per phone.

This week there is a report that Grayshift, an American startup, says that it too can unlock your iPhone for the cops.

Wait, I just got a phone call.  My grandmother says that she can unlock any iPhone and she will do it for free.  Just kidding about that one, but two different companies, one week apart are saying they can hack any iPhone.  This seems really strange.

Grayshift was apparently founded by some U.S. intelligence community contractors and a former Apple security engineer.

They are privately circulating a data sheet that says that if you buy their software you can unlock 300 phones for $15,000 or an unlimited number of phones for $30,000.  The cheap version (a relative term) must be used online (so, I assume, that you cannot cheat them);  the expensive version can be used offline since it doesn’t need to keep track of how many phones you have unlocked.

The software itself is called GrayKey.

Apparently, right now, GrayKey will only unlock phones running iOS 10 and 11 – which is likely the majority of iPhones, but a version that will unlock iOS 9 is coming soon.

One guess is that these firms have figured out how to hack into Apple’s Secure Enclave, the heart of the security of the iPhone.  *IF* that is true, that is a real problem.  Of course Apple could figure out what both of these firms are doing and make them start over.  In the case of GrayKey, since the system is delivered to a paying customer, if Apple engineers can, somehow, get access to the system they can probably figure out what the software exploits.

It is also speculated that the attack might be a brute force attack, meaning that it starts with “A” and goes to “B” and then “C” and so on until it unlocks the phone.  Again, *IF* this is true, the longer the password is, the harder it is to use this technique.  For example, if the password is 8 characters and only uses letters and numbers, then there are ONLY 218,340,105,584,896 or 218 trillion possible guesses.  On the other hand, a 12 character password raises that number to 3,226,266,762,397,899,821,056 or 3 sextillion possibilities.  Passwords longer than 12 characters would require even more guesses.

The moral of this story is that long passwords, even with just upper and lower case letters plus numbers and no special characters will take a long time to crack.  One article said that a 12 character password would take 200 years to crack at a billion guesses per second.  If it does take that long, even if they do succeed, you won’t care.  Using that same billion guesses a second, an 8 character password would only take 60 hours.
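The keyspace arithmetic above, as an added example (not from the original post or the Forbes article): it computes the number of candidates and the worst-case exhaustive-search time for a given alphabet and length, and goes one step further by finding the shortest length that holds out for a target time. The billion-guesses-per-second rate is the post's figure; the digits-only alphabet and all function names are assumptions added for comparison.

```python
SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365 * 24 * 3600
ALNUM = 62   # upper + lower case letters plus digits, as in the post
DIGITS = 10  # numeric-only passcode (assumption added for comparison)
RATE = 10**9  # guesses per second, the rate quoted in the post


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def exhaust_seconds(alphabet_size, length, rate=RATE):
    """Worst-case seconds to try every password of exactly this length."""
    return keyspace(alphabet_size, length) / rate


def min_length(alphabet_size, rate, target_seconds):
    """Shortest length whose full keyspace lasts at least target_seconds."""
    needed = rate * target_seconds
    length = 1
    while keyspace(alphabet_size, length) < needed:
        length += 1
    return length


def humanize(seconds):
    """Render a duration in hours or years, whichever reads better."""
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_HOUR:,.1f} hours"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    for name, size in (("digits", DIGITS), ("letters+digits", ALNUM)):
        for length in (6, 8, 10, 12):
            secs = exhaust_seconds(size, length)
            print(f"{name:15} len={length:2} keyspace={keyspace(size, length):.3e}"
                  f" worst case={humanize(secs)}")
    # Digits needed to match the post's 60-hour figure for 8 letters+digits
    print("digits for 60 hours:", min_length(DIGITS, RATE, 60 * SECONDS_PER_HOUR))
```

On average a brute-force search succeeds after covering half the keyspace, so expected times are half the worst-case figures printed here.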

I think this story is not over;  stay tuned for updates.

Information for this post came from Forbes.


The Feds (and Others) Can Probably Unlock Any iPhone Ever Made

Here’s something you don’t hear every day.

Cellebrite, a cell phone hacking vendor based in Petah Tikvah, Israel, claims that they can unlock any iPhone ever made, including the iPhone X running iOS 11.2.6.

Cellebrite, who offers their services to the highest bidder – mostly law enforcement and governments, both ones that have a better track record with privacy and those that have a horrible privacy record such as Russia – has made a business out of offering forensics services pretty much to anyone whose check will clear.  That is probably being a bit unfair, but they were hacked themselves last year and from the data that was released, the statement above does not appear to be too far off.

In any case, typically the newer phones are harder to hack.  You may remember that the FBI paid someone over a million dollars to hack into the iPhone of the San Bernardino shooter after the FBI did not reach out to Apple in a timely manner and get directions on how to unlock it.  In the case of iPhones, usually waiting is your enemy because after a phone is locked for too long, extra security features kick in making it harder to unlock.

Apple adds new security features with every release, so it is especially embarrassing to Apple that their newest flagship phone – one that costs over a thousand dollars at retail – running its newest operating system can, apparently, be popped open like a can of Coke or Pepsi.

This hacking process is typically a cat and mouse game – the hackers figure out how to break in and Apple fixes it after they find out and the process starts over.

In this case, in order to maintain their revenue stream for as long as possible, Cellebrite has added a twist to the unlock process.

Normally the unlock features are added to their software which police departments and repressive governments license for an annual fee.  This time the agency has to send the phone to Cellebrite which will charge them a fee of around $1,500 per phone to unlock and they will return the phone unlocked.

Let’s say that governments and others send them just 1,000 phones – the NY DA alone said that he had 400 phones that he would like unlocked, so that number is stupid low – then that would generate an extra million and a half dollars to their revenue for the year.

The other thing that it does is protect the bug that they found from being identified and fixed by Apple.  There are likely businesses who are friendly to Apple and who have licensed Cellebrite’s software.  If the unlock feature were added to the software then Apple would connect a test phone with extra debug features to the Cellebrite software and likely figure out exactly what Cellebrite is exploiting so that they can plug the hole.

So this method – forcing the cops to write a check and send them the phone – both provides a major revenue boost and preserves the bug for a longer time.

All that notwithstanding, I am sure that Apple is scratching their collective heads trying to figure out what Cellebrite is doing.

And, just to be clear, this is not a theoretical issue.  Homeland Security has already written a check to get at least one iPhone X unlocked.

If you are a terrorist or someone who would prefer that the feds or other repressive governments can’t see what is on your phone, do not count on Apple to be able to provide that to you, at least for now.

Information for this post came from Forbes.



Cellphone Hacker Becomes Hackee

The Israeli company Cellebrite, known for building hardware and software to extract data from most cell phones, was itself hacked.

Earlier this week a hacker gave Motherboard 900 gigabytes of data from Cellebrite.  We do not know if this is all they have or merely the beginning of a long trickle.

Motherboard says that there was a lot of technical data, customer information, customer trouble tickets and device images.

At this point, it is not clear what the hacker plans to do with the data.

The trouble tickets give some indications of countries that they sell to, such as Turkey, United Arab Emirates and Russia.

While Cellebrite says that they only sell to governments (police and military), some of those governments have a questionable civil rights record.

Cellebrite, in defending themselves, said the hack was illegal.  Some people say that while the software that they make and sell may be technically legal (they say they are not responsible for how their software is used), it is used in ways that may not be morally supportable.  Of course, that is a very subjective conversation.

Besides saying that the hack was illegal, they said that the data was from an old, web-facing customer portal.

What we do not know is how much other data was taken and whether there will be “interesting” information in the device images that were stolen.

Certainly Cellebrite is not unique in selling hacking software to questionable countries, nor are they the first – or last – “hackers” to be hacked themselves.

If, in fact, the data taken was from an old server used by customers who had not moved to a new server, it points out that those migrations should be managed so that old servers don’t stick around any longer than needed.  Servers that are not powered on are hard to hack.

Information for this post came from Ars Technica.


Hand Over Your Phone If You Are In An Accident!

In the “what could go wrong with this” department, New York lawmakers are considering a piece of legislation that would require drivers who are involved in an accident to submit their phone to roadside testing to determine if they were using their device prior to crashing the vehicle.  License, registration, proof of insurance and phone, please.

Refusing to turn over your phone would cause an immediate suspension of your license or cross-state permission to drive in New York.

While this bill has not been passed – or signed into law – the mind boggles as to how this could be abused and misused.

Here is the concept:  the cop would take your phone and plug it into a forensic analyzer like the ones that the police already use when they seize a phone at a crime scene.  Companies like Cellebrite, the Israeli/Japanese company that was originally thought to have unlocked the San Bernardino shooter’s phone, are already working on software to do this.

To attempt to get around the Fourth – and Fifth – Amendment issues, the software that Cellebrite is developing, supposedly, would not capture conversations, contacts, phone numbers and other stuff that, in theory, would require a warrant.  I *definitely* believe that.

This bill follows some intense lobbying from a group called Distracted Operators Risk Casualties (DORC).  Like MADD, the group grew out of a tragedy: the son of the group’s co-founder was killed by a supposedly distracted driver.

Assuming this bill makes it into law, I am sure it will be the source of many court cases, possibly up to and including those 8 folks in black robes in Washington.

If the phone is locked or encrypted, I gather, you will be required to unlock and thereby decrypt the data for the cops.

What the FBI could not get Apple to do, maybe the NYPD can get the owner to do.  Note that, it appears, it does not matter if you are at fault.

While Cellebrite could, possibly, be honest in what data they are extracting, the FBI has already admitted that they have technology to snoop on your phone.  What is to stop a police officer from inserting that technology while “checking” your phone for distracted driving?  Or, in an admittedly even more far fetched case, causing an accident to happen in order to get their hands on your phone to insert that technology.

It is also unclear if the law applies to passengers’ phones.

On the other hand, having a burner phone handy could be a simple way around the problem.

A more subtle way around this is to use virtualization technology like Samsung Knox or Google’s Android for Work, which encrypts the data on the phone in a separate partition.  As long as that partition is not active at the time, my guess is that the Cellebrite tech would not be able to read it – short of any bugs in the software that make it vulnerable.

One other thing to consider.  There is already a way to get this data which is a lot less invasive and that is to ask the driver’s cell phone carrier for usage data.  This requires a warrant, which requires more work, but also protects people’s privacy.  Curiously, this is exactly what they did in the case of DORC’s co-founder’s son’s accident – and they did find that the phone was in use near the time of the accident.


Information for this post came from Ars Technica.
